The NSA, GCHQ, and Encryption. What’s Going On?

In the past few days, more details have emerged about the sheer extent of the surveillance being carried out by both the NSA in America, and GCHQ in the UK.

Whilst the initial news that these intelligence agencies have been intercepting massive amounts of data was a shock, the latest round of news is perhaps the most alarming of all. PRISM had an apparent budget of $25 Million. ‘Bullrun’ has a value of closer to $250 Million.

A surge of web users have reportedly moved to increase the amount of encryption they use on a daily basis after discovering the extent to which their unsecured communications were being monitored. Now, it turns out that much of that encryption could well have little effect on the ability of Government bodies to snoop.

This is a development that has massive implications for our use of, and dependency on, the Internet itself… yet because of the subject matter, has not garnered as much coverage as it should have. The articles from the Guardian et al. give an insight into what is going on, but do not go into specific details of the technologies at risk, and can be inaccessible to somebody who is not already familiar with issues relating to encryption.

What’s the problem?

  • When encryption was first introduced online, there was a concerted effort by Governments to require systems to have in-built weaknesses to ensure they retained an ability to access it; the ultimate master key. This was defeated after a hard-fought, cross-political campaign. However, the NSA and GCHQ have gone ahead and achieved the same result, without legislation, by utilising their considerable resources.
  • The intelligence agencies have deployed multiple tactics to ensure they have access to data – whether it is encrypted or not.
  • One of the tactics includes the weakening of encryption systems by implementing vulnerabilities into their architecture. This means that even the most theoretically secure encryption services can be exploited to reveal the information.
  • Encryption is not just a tool for political activists or paranoid geeks. Every day we rely on encryption to securely log in to our bank accounts; buy things online; save usernames and passwords; and keep the likes of our Facebook accounts from interference.
  • By systematically targeting encryption to weaken its protections, the NSA and GCHQ are also undermining the integrity of all of our communications online; the basis of the global ‘information economy’.

How can I protect myself?

At the moment, it isn’t clear exactly what services have been manipulated, and what have not. Speculation is rife over whether actual protocols used (such as HTTPS for secure web browsing) have been compromised, or whether it is simply specific companies that have been coerced into providing covert ways into their services. SSL for example – indicated by the presence of the padlock in the address bar – has been shown to be extremely vulnerable given the way that the ‘certificate authorities’ who sign off on the transmission are susceptible to attack. As Orwell Upgraded puts it: ‘Who looks after the keys?’ Even the much lauded article by security expert Bruce Schneier on this topic seems contradictory and unclear in places. (“The NSA has huge capabilities – and if it wants in to your computer, it’s in. With that in mind, here are five ways to stay safe” – Eh?!)

However, this technology is not available to everybody, yet. Your local police force will not have access to this technology, nor your employer, nor the opportunist hacker. It wasn’t too long ago that even Scotland Yard were reporting that the use of TrueCrypt encryption on David Miranda’s laptop rendered the data ‘extremely difficult to access’. The NSA is still reportedly deploying many of the bread-and-butter tactics used by hackers for decades, including brute-force attempts to access accounts by mathematically ‘guessing’ passwords. If they did indeed have a golden bullet to decrypt all secure material, then there would be no need for this. Edward Snowden himself, the exiled NSA contractor who leaked the documents in the first place, has confirmed that ‘properly implemented crypto systems’ work; the issue being the lack of security that surrounds those systems in the first place.

There are still steps that can be taken to make it more difficult for your data to be accessed. Whilst not ideal, for the everyday web user, taking a few extra steps can mean that your data is less likely to be intercepted than somebody who takes no steps at all. There’s that well-worn tale of the man who, when faced with a lion, puts on trainers. When someone points out that he’ll never be able to out-run such a powerful beast, he simply replies that he only has to out-run everybody else.

No, we don’t know who to trust just now, but you can still take steps to improve your security:

  • Make use of high entropy passwords. Never use the same password for more than one service. LastPass is one of the best ways to manage this. Whilst stored in ‘the cloud’, it makes use of end-to-end encryption, which means only you should theoretically be able to decrypt its contents.
  • Encrypt your data with 4096 bit encryption where possible.
  • Use open source software that can be scrutinised by the online community for weaknesses. Avoid commercial, ‘closed’ software from a vendor that can be more easily manipulated. TrueCrypt is one of the most widely used and respected. Whilst we currently don’t know about its status in this whole affair, it’s one of the best bets.
  • Encrypt your Internet traffic with a VPN, or use Tor.
  • Use extensions such as HTTPS Everywhere to ensure you are always using the most secure version of a website where available.
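
To make "high entropy" concrete against the brute-force guessing mentioned earlier, here is an added Python example (not part of the original post) that generates a random password and estimates how long exhausting its search space would take. The 94-symbol alphabet, the 128-bit target and the guess rate of 10 billion per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: ASCII letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, alphabet_size):
    """Entropy in bits, valid only if every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest password length that reaches at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits=128, alphabet=ALPHABET):
    """Draw characters from the OS CSPRNG (secrets), never from random.random()."""
    n = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate; the average case is half of this."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed attacker speed, guesses per second
    weak = entropy_bits(8, 26)               # 8 random lowercase letters
    strong = entropy_bits(20, len(ALPHABET))  # 20 random symbols from ALPHABET
    print(f"8 lowercase letters: {weak:.1f} bits, "
          f"{years_to_exhaust(weak, rate) * 365.25 * 24 * 3600:.0f} seconds to exhaust")
    print(f"20 mixed symbols:    {strong:.1f} bits, "
          f"{years_to_exhaust(strong, rate):.1e} years to exhaust")
    print("generated:", generate_password())
```

The entropy figure only holds for passwords produced by a random generator like this one; a human-chosen password of the same length falls to dictionary-based guessing far sooner, which is why a password manager that generates and stores them is the practical route.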

Make your data as difficult to access as possible. Don’t just leave the door wide open.

What now?

Good question.

  • People need to know about this and why it’s important, not just be blinded by the technical speak. Spread the word, explain to people, and get them to act as well.
  • Sign the Electronic Frontier Foundation’s petition to demand answers to what is going on. (US link here; UK/International link here).
  • Write to your local MP and demand that they challenge the UK Government to give answers on this. Write to your MSP and do the same with the Scottish Parliament; it might be a reserved issue, but they still have the power to speak. Cause a fuss until they listen.

This is a dark time for the Internet, but it doesn’t have to stay that way.